Auditor Manual 4.16.0¶
Introduction¶
The Auditor role uses the same interface as the Administrator and has access to the same information. The key difference is that Auditors have read-only access and cannot make any changes to the system. For example, they cannot delete users, modify settings, or connect to PAM targets.
This manual outlines the specific information an Auditor can view. For a complete guide to the interface, please refer to the Administrator Manual.
The Auditor Dashboard has the same layout as the Administrator Dashboard, with the following sections:
- Management: Profile, Users, Actions, Tokens, PAM, Identity Stores, Tenants, Geofences
- SAML: Service Providers, Identity Provider
- Security: OAuth Clients, Security Policies, Network Policy, Password Rotation Policy
- Insights: Statistics
- Others: Settings, About
Figure 1. Auditor Dashboard Overview
Management¶
Profile¶
See the User Manual and Administrator Manual.
Users¶
Users¶
Auditors can view a list of all users and their general information. The Actions column will be empty, as Auditors cannot perform actions like deleting users.
Figure 2. Users list overview
Invitations¶
Auditors can see the list of all user invitations. The only available action is to copy an invitation link. Re-inviting users or deleting invitations is not permitted.
Figure 3. Invitations list overview
Groups¶
Auditors can view the details of any user group but cannot perform any actions, such as editing or deleting them.
Figure 4. Groups list overview
Actions, Tokens¶
In these sections, Auditors can view the same information as an Administrator. For more details, please see the User and Administrator Manuals.
PAM¶
Targets¶
Unlike Administrators, Auditors can only view the details of PAM targets. They cannot connect to, edit, duplicate, or delete them.
Figure 5. PAM targets overview
Groups¶
Auditors can view the details of PAM target groups, but the Actions column will be empty.
Figure 6. No actions possible in the Actions column for Auditors
Sessions¶
Auditors can view the details of all PAM sessions, but no actions are available in the Actions column.
Figure 7. No actions possible in the Actions column for Auditors
Full-Text Search¶
Auditors have the same search functionalities as Administrators.
Figure 8. Full-Text Search overview
Identity Stores¶
Auditors can see the list of Identity Stores, but they cannot view their details or perform any actions.
Figure 9. No actions possible in the Actions column for Auditors
Tenants¶
Tenant List¶
Auditors can view the details of each tenant but cannot perform any actions from the Actions column.
Figure 10. Tenant list overview
Geofences¶
Geofences¶
Auditors can view the list of all geofences and geofence groups but cannot make any changes.
Figure 11. Geofences overview
Groups¶
Figure 12. Geofence Groups overview
SAML¶
Service Providers¶
Service Providers¶
Groups¶
Identity Provider¶
Security¶
OAuth Clients¶
Figure 13. OAuth Clients overview
Policies¶
Figure 14. Security Policies overview
Network Policy¶
Figure 15. Network Policy overview
Password Rotation Policy¶
Figure 16. Password Rotation Policy overview
Insights¶
Statistics¶
General¶
Figure 17. Statistics overview
Devices¶
Figure 18. Devices overview
Actions¶
Figure 19. Actions overview
Others¶
Settings¶
Email¶
Figure 20. Email settings overview
About¶
Figure 21. About overview
Suggestions for Auditors¶
Auditor Checklist¶
When conducting a PAM audit, the audit team should use a checklist to ensure all items align with the audit's scope and objectives. The process usually involves interviewing key personnel, examining system settings, and reviewing logs to verify compliance.
- Review user access levels.
- Review user actions.
- Review Token usage.
- Review PAM Groups, Sessions, and Full-Text Search results.
- Audit Geofence settings.
- Review Security Policies and Rule Sets.
SIEM Integration and Audit Log Analysis¶
Overview¶
Excalibur supports integration with Security Information and Event Management (SIEM) systems to enable continuous auditing, centralized log analysis, and security monitoring. Integration is based on the standard syslog protocol, ensuring broad compatibility with industry-standard SIEM platforms.
SIEM Compatibility¶
Excalibur supports all SIEM solutions that accept standard syslog input. This vendor-neutral approach allows customers to use their preferred SIEM without requiring custom connectors or proprietary agents.
Key points:
- Protocol: Standard syslog
- Format: SIEM-compatible audit logs
- Compatibility: Any SIEM supporting syslog ingestion
This makes Excalibur suitable for both on-premises and cloud-based security monitoring architectures.
Encryption and Transport¶
Excalibur has been tested with unencrypted syslog.
From a technical perspective, encrypted syslog (for example, syslog over TLS) should also function correctly if supported and configured on the SIEM side.
Any previously mentioned "limitations" refer specifically to log transport encryption, not to SIEM functionality or log content.
Examples of Supported SIEM Platforms¶
Because Excalibur uses the syslog standard, it integrates with common enterprise SIEM solutions such as:
- Splunk Enterprise Security
- IBM QRadar
- Microsoft Sentinel
- Elastic Security (Elastic SIEM)
- LogRhythm
Recommended Monitoring Use Cases¶
Once Excalibur audit logs are ingested into a SIEM, we recommend monitoring for:
- Creation, suspension, or modification of privileged users
- Access to critical or sensitive data
- Unusual activity, such as large or unexpected file deletions
- Changes to user roles or permissions
- Administrative updates to systems, databases, or servers
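The monitoring list above can be turned into a first-pass triage over ingested syslog lines. This is an added example, not Excalibur or SIEM vendor code: the RFC 5424 header is standard, but the `key=value` message body, the event names, the `administrator` role label, the app name and the deletion threshold are all assumptions to replace with the fields your deployment actually emits.

```python
import re
from collections import Counter

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"\S+ \S+ (?:-|\[.*?\]) ?(?P<msg>.*)$")
KV = re.compile(r"(\w+)=(\S+)")
# Hypothetical event names mapped to the monitoring use cases in the list above.
RULES = {**dict.fromkeys(("user.created", "user.suspended", "user.modified"),
                         "privileged-user change"),
         "role.changed": "role or permission change", "file.deleted": "file deletion"}
PRIVILEGED = {"administrator"}  # assumed role label
BULK_DELETE_THRESHOLD = 3       # assumed: deletions per actor that count as "large"

# Constructed sample input; not real Excalibur output.
HDR = "<110>1 2025-01-15T10:00:00Z pam01 excalibur 412 - - "
SAMPLE = [HDR + "event=user.created actor=admin1 target=svc-backup role=administrator",
          HDR + "event=user.created actor=admin1 target=jdoe role=user",
          HDR + "event=role.changed actor=admin1 target=jdoe new=administrator",
          *[HDR + f"event=file.deleted actor=jdoe target=/srv/db/{n}.bak" for n in "abc"],
          "truncated line with no PRI header"]

def parse(line):
    """Return the header fields plus key=value pairs under 'fields', or None."""
    m = RFC5424.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), "fields": dict(KV.findall(m["msg"]))}

def triage(lines):
    """Return (alerts, rejected); each alert is (category, actor, target)."""
    alerts, rejected, deletions = [], 0, Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            rejected += 1  # count malformed input rather than dropping it silently
            continue
        f = rec["fields"]
        category = RULES.get(f.get("event"))
        if category == "privileged-user change" and f.get("role") not in PRIVILEGED:
            continue  # only privileged accounts are in scope for this use case
        if category == "file deletion":
            deletions[f.get("actor")] += 1
            if deletions[f.get("actor")] != BULK_DELETE_THRESHOLD:
                continue  # alert once, when the actor reaches the threshold
            category = "bulk file deletion"
        if category:
            alerts.append((category, f.get("actor"), f.get("target")))
    return alerts, rejected
```

A non-zero rejected count is worth its own alert, since it can indicate truncated or reformatted messages somewhere on the syslog path.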
Benefits¶
Using a SIEM with Excalibur audit logs provides:
- Centralized security visibility
- Faster detection of abnormal or suspicious behavior
- Improved incident investigation
- Support for security audits and compliance requirements





















